Re: [exim] GnuTTS woes

2022-09-30 Thread Jasen Betts via Exim-users
On 2022-09-30, Jeremy Harris via Exim-users wrote: > On 30/09/2022 09:11, Jasen Betts via Exim-users wrote: >> Testssl.sh primes its ALPN requests based on the port number used > > What does it use for 25/465/567 ? I don't know of an actual Standard; > I just picked the obvious for Exim. I

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 09:18:08PM +0100, Jeremy Harris via Exim-users wrote: > On 30/09/2022 20:28, Viktor Dukhovni via Exim-users wrote: > > Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first > > sort that out. > > It does not. The same Fatal Alert. Presumably it'll work for

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 20:28, Viktor Dukhovni via Exim-users wrote: Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first sort that out. It does not. The same Fatal Alert. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 08:14:20PM +0100, Jeremy Harris via Exim-users wrote: > > Does its cipherlist end with ":@SECLEVEL=0" (or does it explicitly > > set the security level via the OpenSSL API). > > The latter. > > I can add calls to read out bit of setup just before SSL_accept, if you >

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 19:17, Viktor Dukhovni via Exim-users wrote: openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1 doesn't change the result. That sets a floor, rather than clearing it. You're explicitly turning off SSL 3.0, TLS 1.0 and TLS 1.1. No. This is the exim option not an s_client

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 07:05:52PM +0100, Jeremy Harris via Exim-users wrote: > On 30/09/2022 18:34, Viktor Dukhovni via Exim-users wrote: > > Do you also have a TLS version floor? "protocol version" sure sounds > > like it. > > Not as far as I know, and >openssl_options = -no_sslv3

[exim] OpenSSL IOT woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 18:34, Viktor Dukhovni via Exim-users wrote: Do you also have a TLS version floor? "protocol version" sure sounds like it. Not as far as I know, and openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1 doesn't change the result. There is indeed a "protocol version" fatal alert

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 06:02:35PM +0100, Jeremy Harris via Exim-users wrote: > On 30/09/2022 16:46, Viktor Dukhovni via Exim-users wrote: > >> 00C0C6000800:error:0A0C0103:SSL > >> routines:tls_process_key_exchange:internal > >> error:ssl/statem/statem_clnt.c:2254: > >> > >> I'll try to

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 16:46, Viktor Dukhovni via Exim-users wrote: 00C0C6000800:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254: I'll try to find some time to file a bug. Feel free to beat me to it. Actually, this is expected behaviour:

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 11:23:47AM -0400, Viktor Dukhovni via Exim-users wrote: > I just reproduced the problem with a fresh build of 3.0.6-dev from > github (built on FreeBSD 12.3): > > $ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl > s_client -starttls smtp -tls1_1

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 11:05:57AM -0400, Viktor Dukhovni via Exim-users wrote: > > Clearing either no_tlsv1_1 or no_sslv3 has no effect. > > Of course, if there's no support, the CLI flags don't matter. TLS 1.1 does > not work with OpenSSL 3.0.5, though it looks more like a bug to me: > >

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 03:48:18PM +0100, Jeremy Harris via Exim-users wrote: > OpenSSL 3.0.5 5 Jul 2022 running on Fedora 36 > > I think using the distro standard package > openssl-1:3.0.2-4.fc36.x86_64 > (though I note the numbers don't exactly line up) > > The failure mode is a TLS Alert

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 15:48, Jeremy Harris wrote: OpenSSL 3.0.5 5 Jul 2022 running on Fedora 36 I think using the distro standard package openssl-1:3.0.2-4.fc36.x86_64 (though I note the numbers don't exactly line up) Correction: openssl-1:3.0.5-1.fc36.x86_64 probably from the Fedora "updates"

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 02:09:19PM +0200, Cyborg via Exim-users wrote: > My POV here: "why waiting". Encryption doesn't slow down today's CPUs > anymore as it has 15 years ago, same for a smartphone SoC. Mobile devices have batteries, and large RSA keys have a real packet size and latency cost.

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 15:33, Viktor Dukhovni via Exim-users wrote: On Fri, Sep 30, 2022 at 02:04:51PM +0100, Jeremy Harris via Exim-users wrote: Note that this client won't work against current OpenSSL default builds. When you say "current" you mean 3.1-dev? What is the observed failure mode? It

Re: [exim] GnuTTS woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 02:04:51PM +0100, Jeremy Harris via Exim-users wrote: > Ah, the difference is the total lack of TLS extensions > in the Client Hello. > > Commit ece23f05d6 pushed. > > Note that this client won't work against current OpenSSL > default builds. When you say "current" you

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 09:14, Jeremy Harris via Exim-users wrote: On 30/09/2022 06:06, Jasen Betts via Exim-users wrote: It seems to be ALPN causing the problem. this was the commit that "broke" it... commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD) Curious, given that the testsuite makes

Re: [exim] GnuTTS woes

2022-09-30 Thread Cyborg via Exim-users
On 29.09.22 at 12:19, Evgeniy Berdnikov via Exim-users wrote: corps and gov entities, which states, that 2048 bit RSA keys, for any purpose, *should* not be used anymore in 2022.

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 09:11, Jasen Betts via Exim-users wrote: Testssl.sh primes its ALPN requests based on the port number used What does it use for 25/465/567 ? I don't know of an actual Standard; I just picked the obvious for Exim. -- Cheers, Jeremy

Re: [exim] GnuTTS woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 06:06, Jasen Betts via Exim-users wrote: It seems to be ALPN causing the problem. this was the commit that "broke" it... commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD) Curious, given that the testsuite makes non-ALPN connections all over the place. I'll try to

Re: [exim] GnuTTS woes

2022-09-30 Thread Jasen Betts via Exim-users
On 2022-09-30, Andrew C Aitchison via Exim-users wrote: > On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote: > >> On 2022-09-30, Viktor Dukhovni via Exim-users wrote: >>> On Fri, Sep 30, 2022 at 01:21:21AM -, Jasen Betts via Exim-users wrote: >>> > With the older Exim, GnuTLS appears